[Infowarrior] - Unencrypted Windows crash reports give 'significant advantage' to hackers, spies

Richard Forno rforno at infowarrior.org
Thu Jan 2 07:45:10 CST 2014


Unencrypted Windows crash reports give 'significant advantage' to
hackers, spies

Microsoft transmits a wealth of information from Windows PCs to its
servers in the clear, claims security researcher

Gregg Keizer

http://www.computerworld.com/s/article/9245092/Unencrypted_Windows_crash_reports_give_significant_advantage_to_hackers_spies

December 31, 2013 (Computerworld)

Windows' error- and crash-reporting system sends a wealth of data
unencrypted and in the clear, information that eavesdropping hackers or
state security agencies can use to refine and pinpoint their attacks, a
researcher said today.

Not coincidentally, over the weekend the popular German newsmagazine Der
Spiegel reported that the U.S. National Security Agency (NSA) collects
Windows crash reports from its global wiretaps to sniff out details of
targeted PCs, including the installed software and operating systems,
down to the version numbers and whether the programs or OSes have been
patched; application and operating system crashes that signal
vulnerabilities that could be exploited with malware; and even the
devices and peripherals that have been plugged into the computers.

"This information would definitely give an attacker a significant
advantage. It would give them a blueprint of the [targeted] network,"
said Alex Watson, director of threat research at Websense, which on
Sunday published preliminary findings of its Windows error-reporting
investigation. Watson will present Websense's discovery in more detail
at the RSA Conference in San Francisco on Feb. 24.

Sniffing crash reports using low-volume "man-in-the-middle" methods --
the classic is a rogue Wi-Fi hotspot in a public place -- wouldn't
deliver enough information to be valuable, said Watson, but a wiretap at
the ISP level, the kind the NSA is alleged to have in place around the
world, would.

"At the [intelligence] agency level, where they can spend the time to
collect information on billions of PCs, this is an incredible tool,"
said Watson.

And it's not difficult to obtain the information.

Microsoft does not encrypt the initial crash reports, said Watson, which
include both those that prompt the user before they're sent as well as
others that do not. Instead, they're transmitted to Microsoft's servers
"in the clear," or over standard HTTP connections.

If a hacker or intelligence agency can insert themselves into the
traffic stream, they can pluck out the crash reports for analysis
without worrying about having to crack encryption.
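The cleartext transport described above is also what makes the leak visible to a defender: a proxy log shows every PC whose Stage 1 reports leave the network over plain HTTP. The following PowerShell is an added example, not code from the article or from Websense; the log format (constructed "time client method url status" lines) and the watson.microsoft.com endpoint are assumptions, so check the hostnames your own proxy records for error-reporting traffic before relying on the list.

```powershell
# Added example: flag Windows Error Reporting submissions that leave the network
# over plain HTTP. Log lines below are constructed; the WER hostname is assumed.

$SampleProxyLog = @'
2014-01-02T07:45:10Z 10.0.0.12 POST http://watson.microsoft.com/StageOne/report 200
2014-01-02T07:45:11Z 10.0.0.12 CONNECT watson.microsoft.com:443 200
2014-01-02T07:46:02Z 10.0.0.31 GET http://www.example.com/index.html 200
2014-01-02T07:47:30Z 10.0.0.31 POST http://watson.microsoft.com/StageOne/report 200
2014-01-02T07:48:05Z 10.0.0.12 POST http://watson.microsoft.com/StageOne/report 200
'@

function Find-CleartextWerReport {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$WerHosts = @('watson.microsoft.com')   # assumed endpoint(s)
    )
    $linePattern = '^(?<time>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+(?<status>\d+)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $linePattern) { continue }
        # Copy the captures before the next -match overwrites $Matches.
        $time   = $Matches['time']
        $client = $Matches['client']
        $url    = $Matches['url']
        # Only a plain http:// URL is a cleartext submission; CONNECT tunnels
        # to port 443 carry the encrypted follow-up reports and are skipped.
        if ($url -notmatch '^http://(?<host>[^/:]+)') { continue }
        if ($WerHosts -notcontains $Matches['host']) { continue }
        [pscustomobject]@{ Time = $time; Client = $client; Url = $url }
    }
}

$hits = Find-CleartextWerReport -Lines ($SampleProxyLog -split "`r?`n")
# Which PCs are leaking, and how often: two hits for 10.0.0.12, one for 10.0.0.31.
$hits | Group-Object Client | Select-Object Name, Count
```

Feeding the function real proxy exports instead of the constructed lines gives an inventory of the machines that still send Stage 1 reports in the clear, which is the population a Group Policy redirect or disable should cover.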

And the reports from what Microsoft calls "Windows Error Reporting"
(ERS), but which is also known as "Dr. Watson," contain a wealth of
information on the specific PC.

When a device is plugged into a Windows PC's USB port, for example --
say an iPhone to sync it with iTunes -- an automatic report is sent to
Microsoft that contains the device identifier and manufacturer, the
Windows version, the maker and model of the PC, the version of the
system's BIOS and a unique machine identifier.

By comparing the data with publicly-available databases of device and PC
IDs, Websense was able to establish that an iPhone 5 had been plugged
into a Sony Vaio notebook, and even nail the latter's machine ID.

If hackers are looking for systems running outdated, and thus vulnerable,
versions of Windows -- XP SP2, for example -- the in-the-clear reports will
show which ones have not been updated.

Windows Error Reporting is installed and activated by default on all PCs
running Windows XP, Vista, Windows 7, Windows 8 and Windows 8.1, Watson
said, confirming that the Websense techniques of deciphering the reports
worked on all those editions.

Watson characterized the chore of turning the cryptic reports into
easily-understandable terms as "trivial" for accomplished attackers.

More thorough crash reports, including ones that Microsoft silently
triggers from its end of the telemetry chain, contain personal
information and so are encrypted and transmitted via HTTPS. "If
Microsoft is curious about the report or wants to know more, they can
ask your computer to send a mini core dump," explained Watson. "Personal
identifiable information in that core dump is encrypted."

Microsoft uses the error and crash reports to spot problems in its
software as well as that crafted by other developers. Widespread reports
typically lead to reliability fixes deployed in non-security updates.

The Redmond, Wash. company also monitors the crash reports for evidence
of as-yet-unknown malware: Unexplained and suddenly-increasing crashes
may be a sign that a new exploit is in circulation, Watson said.

Microsoft often boasts of the value of the telemetry to its designers,
developers and security engineers, and with good reason: An estimated
80% of the world's billion-plus Windows PCs regularly send crash and
error reports to the company.

But the unencrypted information fed to Microsoft by the initial and
lowest-level reports -- which Watson labeled "Stage 1" reports --
constitutes a dangerous leak, Watson contended.

"We've substantiated that this is a major risk to organizations," said
Watson.

Error reporting can be disabled manually on a machine-by-machine basis,
or in large sets by IT administrators using Group Policy settings.

Websense recommended that businesses and other organizations redirect
the report traffic on their network to an internal server, where it can
be encrypted before being forwarded to Microsoft.
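The two options just described, disabling reporting or redirecting it to an internal collector, map onto the "Windows Error Reporting" Group Policy settings, which write values under a policy key in the registry. The PowerShell below is an added example, not code from the article, Websense or Microsoft: it reads and sets those values on a single machine (run elevated), which is the machine-by-machine route the article mentions; in a domain the same values are pushed centrally with Group Policy. The collector name 'wer-collector.corp.example' is a placeholder for your own server.

```powershell
# Added example: audit and apply the WER mitigations the article describes.
# Registry path and value names are those written by the Windows Error
# Reporting Group Policy settings; the collector hostname is a placeholder.

$WerPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-WerPolicy {
    # Report the values that decide whether reports are sent, where they go,
    # and whether the corporate redirect is encrypted.
    $names = 'Disabled', 'DontSendAdditionalData', 'CorporateWerServer', 'CorporateWerUseSSL'
    $props = Get-ItemProperty -Path $WerPolicyKey -ErrorAction SilentlyContinue
    $result = [ordered]@{}
    foreach ($n in $names) {
        $result[$n] = if ($props -and $props.PSObject.Properties[$n]) { $props.$n } else { '(not set)' }
    }
    [pscustomobject]$result
}

function Set-WerCorporateRedirect {
    # Send reports to an internal collector over TLS instead of letting each
    # PC post its Stage 1 data to Microsoft over plain HTTP. The collector is
    # then the single place that forwards reports to Microsoft encrypted.
    param([Parameter(Mandatory)][string]$Server)
    if (-not (Test-Path $WerPolicyKey)) { New-Item -Path $WerPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $WerPolicyKey -Name CorporateWerServer -Value $Server -Type String
    Set-ItemProperty -Path $WerPolicyKey -Name CorporateWerUseSSL -Value 1 -Type DWord
    Set-ItemProperty -Path $WerPolicyKey -Name Disabled -Value 0 -Type DWord
}

function Disable-Wer {
    # The blunt alternative: turn error reporting off entirely, at the cost of
    # the diagnostic value the article goes on to describe.
    if (-not (Test-Path $WerPolicyKey)) { New-Item -Path $WerPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $WerPolicyKey -Name Disabled -Value 1 -Type DWord
}

# Before/after view of the redirect (placeholder collector name).
Get-WerPolicy
Set-WerCorporateRedirect -Server 'wer-collector.corp.example'
Get-WerPolicy
```

Get-WerPolicy is also a quick way to verify that a Group Policy object actually reached a machine: if CorporateWerServer is '(not set)' or CorporateWerUseSSL is not 1, that PC is still reporting directly to Microsoft in the clear.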

But to turn it off entirely would be to throw away a solid diagnostic
tool, Watson argued. ERS can provide insights not only to hackers and
spying eavesdroppers, but also the IT departments.

"[ERS] does the legwork, and can let [IT] see where vulnerabilities
might exist, or whether rogue software or malware is on the network,"
Watson said. "It can also show the uptake on BYOD [bring your own
device] policies," he added, referring to the automatic USB device reports.

Microsoft should encrypt all ERS data that's sent from customer PCs to
its servers, Watson asserted.

A Microsoft spokesperson asked to comment on the Websense and Der
Spiegel reports said, "Microsoft does not provide any government with
direct or unfettered access to our customer's data. We would have
significant concerns if the allegations about government actions are true."

The spokesperson added that, "Secure Socket Layer connections are
regularly established to communicate details contained in Windows error
reports," which is only partially true, as Stage 1 reports are not
encrypted, a fact that Microsoft's own documentation makes clear.

"The software 'parameters' information, which includes such information
as the application name and version, module name and version, and
exception code, is not encrypted," Microsoft acknowledged in a document
about ERS.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and
general technology breaking news for Computerworld. Follow Gregg on
Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed Keizer
RSS. His email address is gkeizer at computerworld.com.

-- 
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.